With the November congressional elections right around the corner, many observers are revisiting a primary theme of the 2016 presidential election—security, hacking, and Russian involvement. It is certainly a contentious topic, but no matter where you fall on the political spectrum, it remains the case that elections are just as vulnerable to cyberattacks as private networks and other sectors of our infrastructure. If digital systems are involved, vulnerabilities and threats may potentially impede function and security. When it comes to election security, the potential for damage is endless.

Elections should be overseen with cybersecurity policies comparable to those found in any organization. In the face of a rapidly changing threat landscape that’s affected both by changing technology and evolving nation-state relationships, collaboration between state and federal governments is the best way to facilitate standardized cybersecurity protocols that focus on both defensive and reactive measures. As of today, election cybersecurity is largely left up to the judgment of individual states. But the sorts of measures that would most likely effect positive security outcomes are best implemented at a national level, where standardized procedures can provide a framework for ongoing improvement.

Communication is critical

In this sector, like any other, remediation efforts should always focus on clear and quick communication. In the event of a breach or hacking attempt, election officials should contact law enforcement as soon as possible. From there, pre-designated responsible parties should construct a response to inform the public of what has occurred, focusing on what will be done to resolve the issue and restore a sound election process. Ultimately, it would be up to the chief election officials to address the public, as they are primarily accountable for cyber preparation.1 Considering the discrepant ways in which elections are administered from state to state, it would also be incredibly valuable for election officials and administrators to use resources such as The Campaign Cybersecurity Playbook (Belfer Center), which examines election processes with the goal of offering threat mitigation support and spreading awareness of election-related vulnerabilities.

Proactive defense measures ideally include policies and procedures governing the “human element” of security. No matter how soundly the technological systems involved in elections are protected, problematic access controls or even phishing scams could compromise results. Election workers should have access to the best education regarding social engineering attacks and clear instruction about who has access to what. This type of security education should not be limited to security professionals, but shared with anyone who has access to digitally collected and stored voter information.

Protecting voter data

Protecting voter information that is stored digitally is an often overlooked aspect of electoral security. Voter databases are by and large outdated and prone to any number of vulnerabilities—and many states have opted not to upgrade their databases against new cyber threats. Issues of data transmission are also paramount to safe elections.
Using insecure data transmission methods via the internet instead of secure network connections (or hard drive transportation, or even paper) is an unnecessary risk. Recognizing the value of voter information is essential in establishing security practices.

Accepting vulnerabilities in our election systems as a fact of the digital age is imperative in building sound cybersecurity protocols and, ultimately, restoring voter confidence. Admitting there’s a problem is half the battle, especially when it comes to addressing large-scale voter concerns head on. As for the responsibility of voters in ensuring safe and fair elections, my best advice as a cybersecurity expert is not to allow discouraging news stories about nation-state interference to prevent you from voting. Don’t give in to the belief that your vote “won’t matter anyway” in the event of a hack. While breaches and tampering are always going to be a possibility as long as we continue to use technology to assist in the voting process, strong remediation plans and recognition of how difficult it is to actually hack an election should be considerations for all voters.

That said, it would seem that just as the human element of technology is easier to hack than the hardware, compromising voter confidence is much easier for would-be hackers than compromising our election systems. As the ongoing investigation of Russia’s involvement in the 2016 election demonstrates, actual hacking and breach events are much less important than making voters believe they happened—or could easily happen. Social engineering attacks rely on getting us to click that phony email link or encouraging us to visit faulty websites that ask us for our personal information. Similarly, Russia’s “hack” of the 2016 election was arguably more a hack of the voters’ psyche than of election technology. Using social media and hoaxed news posts was much more productive in undermining U.S. confidence than attempting to hack particular voting machines or voter databases. While there are inherent security risks with the technological aspects of our elections, I urge voters to weigh the benefits with the risks. In spite of any cybersecurity issues, you ought to go out and vote in November.

MARK LANTERMAN is CTO of Computer Forensic Services. A former member of the U.S. Secret Service Electronic Crimes Taskforce, Mark has 28 years of security/forensic experience and has testified in over 2,000 trials. He is a member of the MN Lawyers Professional Responsibility Board.